The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-9064 | PHP Scripts Mall Cab Booking Script 1.0.3 allows Directory Traversal into the parent directory of a jpg or png file. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9065 | PHP Scripts Mall Custom T-Shirt Ecommerce Script 3.1.1 allows parameter tampering of the payment amount. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9066 | PHP Scripts Mall PHP Appointment Booking Script 3.0.3 allows HTML injection in a user profile. | LOW | Mar 20, 2019 | n/a |
| CVE-2019-9070 | An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls. | Medium | Mar 15, 2019 | n/a |
| CVE-2019-9071 | An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls. | Medium | Mar 15, 2019 | 10.19.45.1 (Wind River Linux LTS 19) |
| CVE-2019-9072 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c. | Medium | Mar 15, 2019 | n/a |
| CVE-2019-9073 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c. | Medium | Mar 15, 2019 | 10.19.45.1 (Wind River Linux LTS 19) |
| CVE-2019-9074 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c. | Medium | Mar 15, 2019 | 10.19.45.1 (Wind River Linux LTS 19) |
| CVE-2019-9075 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c. | Medium | Mar 15, 2019 | 10.19.45.1 (Wind River Linux LTS 19) |
| CVE-2019-9076 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c. | Medium | Mar 15, 2019 | n/a |
| CVE-2019-9077 | An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section. | Medium | Mar 15, 2019 | 10.19.45.1 (Wind River Linux LTS 19) |
| CVE-2019-9078 | zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT. | LOW | Mar 20, 2019 | n/a |
| CVE-2019-9080 | DomainMOD before 4.14.0 uses MD5 without a salt for password storage. | MEDIUM | Oct 21, 2020 | n/a |
| CVE-2019-9081 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | High | Feb 26, 2019 | n/a |
| CVE-2019-9082 | ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command. | High | Mar 5, 2019 | n/a |
| CVE-2019-9083 | SQLiteManager 1.20 and 1.24 allows SQL injection via the /sqlitemanager/main.php dbsel parameter. NOTE: This product is discontinued. | HIGH | Mar 26, 2019 | n/a |
| CVE-2019-9084 | In Hoteldruid before 2.3.1, a division by zero was discovered in $num_tabelle in tab_tariffe.php (aka the numtariffa1 parameter) due to the mishandling of non-numeric values, as demonstrated by the /tab_tariffe.php?anno=[YEAR]&numtariffa1=1a URI. It could allow an administrator to conduct remote denial of service (disrupting certain business functions of the product). | MEDIUM | Jun 11, 2019 | n/a |
| CVE-2019-9085 | Hoteldruid before v2.3.1 allows remote authenticated users to cause a denial of service (invoice-creation outage) via the n_file parameter to visualizza_contratto.php with invalid arguments (any non-numeric value), as demonstrated by the anno=2019&id_transazione=1&numero_contratto=1&n_file=a query string to visualizza_contratto.php. | MEDIUM | Jun 27, 2019 | n/a |
| CVE-2019-9086 | HotelDruid before v2.3.1 has SQL Injection via the /visualizza_tabelle.php anno parameter. | HIGH | Jun 9, 2019 | n/a |
| CVE-2019-9087 | HotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php numtariffa1 parameter. | HIGH | Jun 9, 2019 | n/a |
| CVE-2019-9093 | A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in file/file/upload in Humhub 1.3.10 Community Edition. The user-supplied input containing a JavaScript payload in the filename parameter is echoed back, which resulted in reflected XSS. | MEDIUM | Mar 26, 2019 | n/a |
| CVE-2019-9094 | A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in /s/adada/cfiles/upload in Humhub 1.3.10 Community Edition. The user-supplied input containing JavaScript in the filename is echoed back in JavaScript code, which resulted in XSS. | MEDIUM | Mar 26, 2019 | n/a |
| CVE-2019-9095 | An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. An attacker may be able to intercept weakly encrypted passwords and gain administrative access. | MEDIUM | Mar 12, 2020 | n/a |
| CVE-2019-9096 | An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. Insufficient password requirements for the MGate web application may allow an attacker to gain access by brute-forcing account passwords. | MEDIUM | Mar 11, 2020 | n/a |
| CVE-2019-9097 | An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. A high rate of transit traffic may cause a low-memory condition and a denial of service. | MEDIUM | Mar 11, 2020 | n/a |
| CVE-2019-9098 | An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. An Integer overflow in the built-in web server allows remote attackers to initiate DoS. | MEDIUM | Mar 11, 2020 | n/a |
| CVE-2019-9099 | An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. A Buffer overflow in the built-in web server allows remote attackers to initiate DoS, and probably to execute arbitrary code (issue 1 of 2). | HIGH | Mar 11, 2020 | n/a |
| CVE-2019-9101 | An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. Sensitive information is sent to the web server in cleartext, which may allow an attacker to discover the credentials if they are able to observe traffic between the web browser and the server. | MEDIUM | Mar 12, 2020 | n/a |
| CVE-2019-9102 | An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. A predictable mechanism of generating tokens allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism. | MEDIUM | Mar 12, 2020 | n/a |
| CVE-2019-9103 | An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. An attacker can access sensitive information (e.g., conduct username disclosure attacks) on the built-in WEB-service without authorization. | MEDIUM | Mar 12, 2020 | n/a |
| CVE-2019-9104 | An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. The application\'s configuration file contains parameters that represent passwords in cleartext. | MEDIUM | Mar 12, 2020 | n/a |
| CVE-2019-9105 | The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to make several types of API calls without authentication, as demonstrated by retrieving password hashes via an inc/utils/REST_API.php?command=CallAPI&customurl=alladminusers call. | MEDIUM | Jun 3, 2019 | n/a |
| CVE-2019-9106 | The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to execute or include local .php files, as demonstrated by menu=php://filter/convert.base64-encode/resource=index.php to read index.php. | HIGH | Jun 3, 2019 | n/a |
| CVE-2019-9107 | XSS exists in WUZHI CMS 4.1.0 via index.php?m=attachment&f=imagecut&v=init&imgurl=[XSS] to coreframe/app/attachment/imagecut.php. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9108 | XSS exists in WUZHI CMS 4.1.0 via index.php?m=core&f=map&v=baidumap&x=[XSS]&y=[XSS] to coreframe/app/core/map.php. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9109 | XSS exists in WUZHI CMS 4.1.0 via index.php?m=message&f=message&v=add&username=[XSS] to coreframe/app/message/message.php. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9110 | XSS exists in WUZHI CMS 4.1.0 via index.php?m=content&f=postinfo&v=listing&set_iframe=[XSS] to coreframe/app/content/postinfo.php. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9111 | The msm gpu driver for custom Linux kernels on the Xiaomi perseus-p-oss MIX 3 device through 2018-11-26 has an integer overflow and OOPS because of missing checks of the count argument in sde_evtlog_filter_write in drivers/gpu/drm/msm/sde_dbg.c. This is exploitable for a device crash via a syscall by a crafted application on a rooted device. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9112 | The msm gpu driver for custom Linux kernels on the Xiaomi perseus-p-oss MIX 3 device through 2018-11-26 has an integer overflow and OOPS because of missing checks of the count argument in _sde_debugfs_conn_cmd_tx_write in drivers/gpu/drm/msm/sde/sde_connector.c. This is exploitable for a device crash via a syscall by a crafted application on a rooted device. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9113 | Ming (aka libming) 0.4.8 has a NULL pointer dereference in the function getString() in the decompile.c file in libutil.a. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9114 | Ming (aka libming) 0.4.8 has an out of bounds write vulnerability in the function strcpyext() in the decompile.c file in libutil.a. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9115 | In irisnet-crypto before 1.1.7 for IRISnet, the util/utils.js file allows code execution because of unsafe eval usage. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9116 | DLL hijacking is possible in Sublime Text 3 version 3.1.1 build 3176 on 32-bit Windows platforms because a Trojan horse api-ms-win-core-fibers-l1-1-1.dll or api-ms-win-core-localization-l1-2-1.dll file may be loaded if a victim uses sublime_text.exe to open a .txt file within an attacker\'s %LOCALAPPDATA%\\Temp\\sublime_text folder. NOTE: the vendor\'s position is This does not appear to be a bug with Sublime Text, but rather one with Windows that has been patched. | MEDIUM | Feb 26, 2019 | n/a |
| CVE-2019-9117 | An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetNetworkTomographySettings API function, as demonstrated by shell metacharacters in the tomography_ping_number field. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9118 | An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetNTPServerSettings API function, as demonstrated by shell metacharacters in the system_time_timezone field. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9119 | An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetStaticRouteSettings API function, as demonstrated by shell metacharacters in the staticroute_list field. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9120 | An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetWLanACLSettings API function, as demonstrated by shell metacharacters in the wl(0).(0)_maclist field. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9121 | An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetSmartQoSSettings API function, as demonstrated by shell metacharacters in the smartqos_priority_devices field. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-9122 | An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the ntp_server parameter in an ntp_sync.cgi POST request. | MEDIUM | Mar 20, 2019 | n/a |
| CVE-2019-9123 | An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. The \"user\" account has a blank password. | HIGH | Mar 20, 2019 | n/a |
